LDAP Authentication via IPsec Tunnel

yesh Lv1Posted 07 Aug 2024 18:55

We are facing issue with integrate AD to sangfor firewall. Firewall is on branch location and AD is located on Head Office. Head Office having Palo Alto firewall.

So we created IPsec tunnel and now LAN users can reach AD via IPsec tunnel without any issues.

The issue appear when we try to authenticate AD to Firewall. From firewall cli, there is no reachability to AD server but LAN users can reach the AD.
Full Screen
TAC support mentioned below IP should have reachability to the server.

Screenshot_91.png

I want to know why this IP should have rechability to the Head Office AD ?

By solving this question, you may help 178 user(s).

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

admin Posted 23 Aug 2024 14:38
  
When deploying NGAF 7.5.1 in a Layer 2 environment with virtual wire and behavior management (bridge), issues may arise where wireless VLANs cannot obtain IP addresses via DHCP. This is often due to the default application control policies blocking DHCP DISCOVER packets, which have a source IP of 0.0.0.0 and a destination IP of 255.255.255.255.

Possible Solution:
1) Application Control Policies: Ensure policies allow DHCP traffic by setting both source and destination IPs to "all" and explicitly allowing the DHCP protocol.

2) DHCP Relay Configuration: For environments using DHCP relay, configure the relevant interfaces for both client-side and server-side communication to ensure proper packet transmission.
Zonger Lv5Posted 29 Aug 2024 19:23
  
It is because, the firewall is initiating the authentication request to the AD server. When the firewall attempts to authenticate with the AD server, it sends an authentication request to the AD server's IP address, and the AD server responds with an authentication response. The firewall needs to have a direct or indirect connection (through the IPsec tunnel) to the AD server's IP address in order to receive this response. This is a requirement for the Active Directory authentication protocol to function correctly.
Sheikh_Shani Lv2Posted 31 Aug 2024 13:18
  
Hello Dear

It sounds like you have set up an IPsec tunnel successfully, allowing users on the branch LAN to access the Active Directory (AD) server located at the Head Office. However, the issue arises when the Sangfor firewall tries to authenticate with the AD server.

The firewall's command line interface (CLI) cannot reach the AD server, even though LAN users can. This suggests that there might be a network configuration issue, such as routing or access control lists (ACLs), preventing the firewall from accessing the AD server over the IPsec tunnel.

You should check:
1. Routing configurations on the Sangfor firewall to ensure traffic is directed correctly through the tunnel.
2. Any firewall rules or ACLs on both the Sangfor and Palo Alto firewalls that might block the authentication attempts.
3. Ensure that the correct IP address of the AD server is used in the firewall configurations.

By resolving these issues, the firewall should be able to authenticate with the AD server.

I Can Help:

Change

Board Leaders